Access control management

ABSTRACT

A method of access control management includes determining a private network address for a user in connection with the user accessing a network resource, determining an access control list entry for the user based on an access control policy, translating a public network address to the private network address for the user accessing the network resource, and allowing or blocking the user access based on the access control list entry, wherein determining the access control list entry is performed before translating the public network address to the private network address.

TECHNICAL FIELD

[0001] This invention relates to access control.

BACKGROUND

[0002] The Internet, which allows users to access the resources of interconnected computers, also offers the possibility of access to smaller, private networks (intranets). Intranets typically include systems that restrict access to the networked resources of the intranet to only authorized users. Networked resources refer to the hardware, software, and data included in a network and accessible to authorized users from inside or outside the network.

DESCRIPTION OF THE DRAWINGS

[0003] FIG. 1 is a block diagram.

[0004] FIG. 2 shows data and command flows in the block diagram of FIG. 1.

DESCRIPTION

[0005] Referring to FIG. 1, a computer network 10 includes a public network 20, in this case the Internet 22, connected to a private network 30. External computers USERa-USERn (“users”) may access the resources of the Internet 22 through computers 24 a-24 n. Users may also attempt to access resources of private network 30 by sending access requests through Internet 22 to private network 30. Private network 30 determines whether to allow or block each user access request.

[0006] Private network 30 includes an access control policy server 38 that manages an access policy for private network 30. The various computers and devices included in private network 30 use access control lists (ACLs) to determine and control access to the resources of private network 30. The ACLs used by the computers and devices included in network 30 are maintained and generated by policy server 38, as will be explained.

[0007] In addition to policy server 38, private network 30 includes other inter-connected computer systems, i.e., a Dynamic Host Configuration Protocol (DHCP) server 40 that dynamically allocates a private IP address for each user of private network 30, and a firewall computer 32 that authenticates user requests received from public network 20 and translates a public IP address for each user request to the dynamically allocated private IP address from DHCP server 40. Firewall computer 32 also forwards authenticated user requests, along with the translated private IP address, to a router 34 that transports data within private network 30. Private network 30 also includes application server computers 36 a-36 n that provide application programs and data to authorized users.

[0008] Computer systems 32, 34, 36 a-36 n, 38 and 40 interpret data packets based on one or more functional layers of the Open Systems Interconnection (OSI) model. For example, router 34 interprets packets using the network layer of OSI, and therefore uses a network layer ACL from policy server 38 to determine which packets are to be blocked or transmitted to a server 36 a-36 n.

[0009] Policy server 38 maintains the access control policy by storing application layer ACLs for server computers 36 a-36 n. The application layer ACLs used by server computers 36 a-36 n are specific to each server or specific to an application on each server. Application layer ACLs do not include the dynamically allocated private IP address from DHCP server 40; a network layer ACL, however, may use the private IP address as part of a network layer ACL entry.

[0010] Whenever a private IP address is allocated from DHCP server 40 (i.e., a private IP address is assigned to a new access request), policy server 38 retrieves the appropriate application layer ACL for the access request and generates a corresponding network layer ACL. Policy server 38 then sends the generated network layer ACL to each network device, such as router 34, and also to each application server 36 a-36 n that supports network layer packet filtering. Policy server 38 also sends the retrieved application layer ACL to those servers 36 a-36 n that do not support network layer packet filtering. As each ACL is received by a network device or computer system in network 30, the ACL is “installed” by that device or computer system, and then used to determine whether to allow or deny access to a received user access request, as will be explained. Please note that the ACL retrieval, generation and installation is performed before the allocated private IP address is sent to firewall computer 32. Until firewall computer 32 holds the private IP address, no NAT mapping exists for the user, so no packet carrying that private IP address can reach an enforcement point that has not yet installed the corresponding ACL.

[0011] Maintaining the control policy on a centralized policy server 38 avoids having to manage separate access policies (and separate ACLs) on each server computer and network device in private network 30. This also assures the horizontal consistency of ACLs that are used in each application layer throughout private network 30. Furthermore, the access control policy server 38 uses the private IP address allocated at “runtime” to dynamically generate network layer ACLs that map to application layer ACLs, both of which are then distributed to the appropriate systems in private network 30. This assures vertical consistency of ACLs logically across application layers and network layers.

[0012] An example of a user 24 b attempting to access an application from servers 36 a and 36 b is shown in FIG. 2. Flow arrows (51-59) depict the sequence of actions required to establish a flow of data (60) for a user 24 b attempting to access an application from server 36 b. In this example, user 24 b is allowed access to an application on server 36 b, but denied access to any applications on server 36 a. User 24 b sends (51) a login message through Internet 22. The login message is forwarded (52) through Internet 22 to firewall computer 32. Firewall computer 32 authenticates the credentials included in the login message, and sends (53) a DHCP request to policy server 38. Policy server 38 forwards (54) the DHCP request to DHCP server 40. In response to the DHCP request, DHCP server 40 returns (55) a private IP address to policy server 38. Policy server 38 searches the application ACLs stored in the access control database and finds an entry that corresponds to “user 24 b is allowed to read from application server 36 b, but not allowed to access other servers”. Policy server 38 uses the private IP address to generate a network layer ACL entry (required by each network layer device, such as router 34) that corresponds to the found application layer ACL. Policy server 38 retrieves the found application layer ACL for each of the server computers 36 a-36 n. Then policy server 38 sends (56) the generated network layer ACLs to router 34, and sends (57)(58) the retrieved application layer ACLs to servers 36 a and 36 b, respectively. Router 34, and servers 36 a and 36 b, install, respectively, the received ACLs, for use in determining access for the user access request.

[0013] Before the installation of ACL entries in router 34 and servers 36 a and 36 b, policy server 38 may query the individual server computers 36 a and 36 b to determine their packet filtering capabilities. If policy server 38 determines that a server computer is capable of performing network layer packet filtering, policy server 38 may also send the generated network ACL entry to that server.

[0014] Continuing with the example shown in FIG. 2, policy server 38 returns (59) the private IP address for user 24 b to firewall computer 32. At this point firewall computer 32 performs the required network address translation (NAT) for user 24 b (i.e., translating a public IP address associated with the user on public network 20 to the allocated private IP address). Performing NAT allows a flow of data (60) to be established between user computer 24 b and application server 36 b. However, when user 24 b attempts (61) to access server 36 a, for example, the network layer ACL installed at router 34 or the application layer ACL installed at server 36 a will block the access request.

[0015] Please note that before firewall computer 32 translates (“tags”) the user access request with the private IP address (via NAT), the access control ACLs, for both application layer computers and network layer devices, have already been sent by policy server 38 and installed by the respective computers and network devices of network 30.

[0016] Access control policy may be stored on a storage medium (not shown) connected to policy server 38. The access control policy may be modified by an authorized manager via a direct connection to policy server 38 (not shown) and may be modified indirectly by commands received at policy server 38 from an authorized manager associated with one of the server computers 36 a-36 n.

[0017] The access control policy uses “role-based” definitions to determine what level of access is allowed for a user request based on a defined role for each user. For example, access control policy may include several different roles, such as a “guest” who is denied access to any server data, a “regular user” who is allowed to read data from a specific server, a “power user” who is allowed to modify data on a specific server, and an “administrator” who is allowed to modify data on a specific server and allowed to re-boot that server.

[0018] Each entry in a network layer ACL (shown below), generated by policy server 38, includes a “5-tuple”, i.e., a five (5) field filter along with a “deny” or “allow” action associated with that 5-tuple.

[0019] NETWORK LAYER ACL ENTRY:

[0020] (SIP, DIP, Proto, SPort, DPort) -> Action

[0021] The first field, SIP, stands for the source IP address (in this case the private IP address of the user in the private network 30). The second field, DIP, stands for the destination IP address of a server 36 a-36 n in the private network. The third field, Proto, stands for a transport layer protocol, such as TCP, UDP, etc., for which this ACL is intended. The fourth field, SPort, stands for the source port of the user request. The fifth field, DPort, stands for the destination port of the server application.

[0022] Exemplary network layer ACL entries, Entry A and Entry B, generated by policy server 38 are shown below.

[0023] ACL Entry A: (192.168.3.10, IpAddrOfAppServer36b, TCP, SPort, PortOnAppServer36b) -> “ALLOW”;

[0025] ACL Entry B: (192.168.3.10, *, *, SPort, *) -> “DENY”.

[0026] ACL Entry A and ACL Entry B correspond to network layer ACL entries that are mapped and generated by policy server 38 for the previous example shown in FIG. 2. In more detail, ACL Entry A is generated to ALLOW access for user requests from source IP address “192.168.3.10” (the private IP address allocated to user 24 b by DHCP server 40). ACL Entry A also specifies the destination address of server computer 36 b, a TCP protocol designation (the transport layer protocol in the Proto field), a source port corresponding to firewall computer 32 and a destination port corresponding to an application on server computer 36 b. ACL Entry B would also be generated along with ACL Entry A. ACL Entry B is generated to DENY access to all user 24 b requests to any other server besides server 36 b. The ‘*’ character included in ACL Entry B is a wildcard character, and is interpreted as all values allowed by the field in which the wildcard is used. In ACL Entry B, therefore, all user requests from source address “192.168.3.10” and from the source port of firewall computer 32 are denied access to any server system in private network 30. Because ACL Entry B also matches the packets that ACL Entry A allows, the two entries must be evaluated in order, with the more specific ALLOW entry (Entry A) taking precedence over the wildcard DENY entry (Entry B); an enforcement point that applied Entry B first would block the permitted flow to server 36 b as well.

[0027] When a user has finished with an established data flow to a server computer, for example, firewall computer 32 releases the private IP address allocated to that data flow and also de-installs the network layer ACLs. In more detail, firewall computer 32 sends a DHCP release request to policy server 38, and policy server 38 de-installs the network ACL entries associated with the private IP address from all “enforcement points”, such as router 34 (and server 36 b, if server 36 b is capable of network layer filtering). In an embodiment, policy server 38 includes a cache (not shown) for storing each network layer ACL. Therefore, in this embodiment, policy server 38 deletes the appropriate network ACL entries from its cache and forwards the DHCP release request to the DHCP server 40. DHCP server 40 responds to policy server 38 with a release acknowledgement, and policy server 38 forwards the release acknowledgement to firewall computer 32. De-installing the entries before the address is returned to the DHCP pool matters: a stale ALLOW entry keyed on a private IP address that is later re-allocated to a different user would otherwise grant that user the previous user's access.
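The following simulation is an added example, not code from the patent, and ties together the allocation and installation sequence of [0010]-[0015], the Entry A/Entry B generation of [0026], and the release path of [0027]. All addresses, port numbers, user and device names are constructed; the wildcard source port in the generated ALLOW entry, the default DENY when no entry matches, the in-memory DHCP pool standing in for DHCP server 40, and the shared event log used to prove that installation precedes NAT are assumptions for the example.

```python
"""Simulated policy server, firewall and enforcement points for the scheme of
FIGs. 1 and 2: allocate a private IP, generate and install the 5-tuple ACL
entries on every enforcement point, and only then hand the private IP to the
firewall for NAT. Constructed values; not the patent's own code."""
from dataclasses import dataclass

ANY = "*"  # wildcard: every value the field allows ([0026])


@dataclass(frozen=True)
class NetAclEntry:
    """One network layer ACL entry: (SIP, DIP, Proto, SPort, DPort) -> Action."""
    sip: str
    dip: str
    proto: str
    sport: object   # int or ANY
    dport: object   # int or ANY
    action: str     # "ALLOW" or "DENY"

    def matches(self, sip, dip, proto, sport, dport):
        fields = (self.sip, self.dip, self.proto, self.sport, self.dport)
        packet = (sip, dip, proto, sport, dport)
        return all(f == ANY or f == v for f, v in zip(fields, packet))


class EnforcementPoint:
    """A router or filtering-capable server. First matching entry wins, so the
    specific ALLOW (Entry A) is installed ahead of the wildcard DENY (Entry B)."""
    def __init__(self, name):
        self.name = name
        self.entries = []

    def install(self, entries):
        self.entries.extend(entries)

    def deinstall(self, sip):
        self.entries = [e for e in self.entries if e.sip != sip]

    def decide(self, sip, dip, proto, sport, dport):
        for e in self.entries:
            if e.matches(sip, dip, proto, sport, dport):
                return e.action
        return "DENY"   # assumption: no installed entry means no access


# Constructed application layer ACL: user -> (server address, proto, port) it may read.
APP_ACL = {"user24b": [("10.0.0.36", "TCP", 443)]}   # server 36b only


class PolicyServer:
    def __init__(self, dhcp_pool, enforcement_points, events):
        self.pool = list(dhcp_pool)      # stands in for DHCP server 40
        self.eps = enforcement_points
        self.cache = {}                  # private IP -> generated entries
        self.events = events             # shared, ordered log of actions

    def generate(self, private_ip, user):
        """Entry A-style ALLOWs from the application ACL, then an Entry B-style DENY."""
        entries = [NetAclEntry(private_ip, dip, proto, ANY, dport, "ALLOW")
                   for dip, proto, dport in APP_ACL.get(user, [])]
        entries.append(NetAclEntry(private_ip, ANY, ANY, ANY, ANY, "DENY"))
        return entries

    def dhcp_request(self, user):
        private_ip = self.pool.pop(0)                    # flows 54-55
        entries = self.generate(private_ip, user)
        for ep in self.eps:                              # flows 56-58
            ep.install(entries)
            self.events.append(f"install:{ep.name}")
        self.cache[private_ip] = entries
        return private_ip                                # flow 59 comes last

    def dhcp_release(self, private_ip):
        for ep in self.eps:                              # de-install everywhere
            ep.deinstall(private_ip)
        del self.cache[private_ip]
        self.pool.append(private_ip)                     # only now reusable
        return "release-ack"


class Firewall:
    def __init__(self, policy_server, events):
        self.ps = policy_server
        self.events = events
        self.nat = {}                    # public IP -> private IP

    def login(self, public_ip, user, credentials_ok):
        if not credentials_ok:
            return None
        private_ip = self.ps.dhcp_request(user)          # ACLs already installed
        self.nat[public_ip] = private_ip                 # NAT becomes possible here
        self.events.append(f"nat:{public_ip}")
        return private_ip

    def logout(self, public_ip):
        return self.ps.dhcp_release(self.nat.pop(public_ip))


def demo():
    """Run the FIG. 2 scenario; returns decisions, remaining entries and the log."""
    events = []
    router = EnforcementPoint("router34")
    server36b = EnforcementPoint("server36b")   # assumed capable of network layer filtering
    ps = PolicyServer(["192.168.3.10", "192.168.3.11"], [router, server36b], events)
    fw = Firewall(ps, events)
    priv = fw.login("203.0.113.7", "user24b", credentials_ok=True)
    to_36b = router.decide(priv, "10.0.0.36", "TCP", 40000, 443)   # flow 60
    to_36a = router.decide(priv, "10.0.0.35", "TCP", 40000, 443)   # flow 61
    fw.logout("203.0.113.7")
    after = router.decide(priv, "10.0.0.36", "TCP", 40000, 443)    # stale access?
    return priv, to_36b, to_36a, after, len(router.entries), events


if __name__ == "__main__":
    print(demo())
```

The event log is the point: every "install:" entry is appended inside dhcp_request before the private IP is returned, and the "nat:" entry is appended only after, which is the ordering the claims require. After logout the router has no entries left for the released address, so a second user who later receives 192.168.3.10 starts from DENY rather than inheriting user 24 b's ALLOW.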

[0028] The process of generating ACLs according to a centralized access control policy, hereafter referred to as “process 100”, is not limited to use with the hardware and software of FIG. 1. It may find applicability in any computing or processing environment. Process 100 may be implemented in hardware, software, or a combination of the two. Process 100 may be implemented in computer programs executing on programmable computers or other machines that each include a processor and a storage medium readable by the processor.

[0029] The invention is not limited to the specific embodiments described above. For example, control policy server 38 and DHCP server 40 may be implemented on a single computer system performing both the allocation of private IP addresses and the generation of ACLs according to the control policy of the system.

[0030] Other embodiments not described herein are also within the scope of the following claims.

What is claimed is:
 1. A method comprising: determining a private network address for a user in connection with the user accessing a network resource; determining an access control list entry for the user based on an access control policy; translating a public network address to the private network address for the user accessing the network resource; and allowing or blocking the user access based on the access control list entry, wherein determining the access control list entry is performed before translating the public network address to the private network address.
 2. The method of claim 1, further comprising sending the determined access control list entry from a first computer on the network to a second computer on the network before allowing or blocking the user access.
 3. The method of claim 2, further comprising: generating an access control list entry corresponding to the access control policy, that entry including the determined private network address.
 4. The method of claim 3, wherein the generated access control list entry comprises a network level access control list including at least one of a destination address, a protocol layer designation, a source port, a destination port, the determined network address, and an indication of allowed or denied access to the network resource.
 5. The method of claim 2, wherein the determined access control list entry comprises an application level access control list entry stored on a storage device connected to the first computer.
 6. The method of claim 3, wherein determining the network address comprises allocating a network address based on a dynamic host configuration protocol (DHCP).
 7. The method of claim 3, wherein the second computer comprises a network layer device, and wherein blocking or allowing access comprises blocking or allowing access at the network layer device.
 8. The method of claim 5, wherein the second computer comprises a server computer associated with the network resource, wherein determining an access control list further comprises retrieving an application layer access control list entry stored in a database, and wherein the server computer uses an application layer protocol based on an open system interconnection (OSI) model.
 9. The method of claim 5, further comprising storing the access control policy on a storage medium connected to the first computer in the network, the access control policy including defined roles for each user allowed to access a resource in the network.
 10. The method of claim 3, further comprising: releasing the private network address following completion of the access to the network resource.
 11. The method of claim 10, further comprising: de-installing a network layer access control entry following completion of the access to the network resource.
 12. An article comprising a machine-readable medium that stores machine-executable instructions, the instructions causing a machine to: determine a private network address for a user in connection with the user accessing a network resource; determine an access control list entry for the user based on an access control policy; translate a public network address to the private network address for the user accessing the network resource; and allow or block the user access based on the access control list entry, wherein determining the access control list entry is performed before translating the public network address to the private network address.
 13. The article of claim 12, further comprising instructions causing a machine to: send the determined access control list entry from a first computer on the network to a second computer on the network before allowing or blocking the user access.
 14. The article of claim 13, further comprising instructions causing a machine to: generate an access control list entry corresponding to the access control policy, that entry including the determined private network address.
 15. The article of claim 14, wherein the generated access control list entry comprises a network level access control list including at least one of a destination address, a protocol layer designation, a source port, a destination port, the determined network address, and an indication of allowed or denied access to the network resource.
 16. The article of claim 13, wherein the determined access control list entry comprises an application level access control list entry stored on a storage device connected to the first computer.
 17. The article of claim 14, wherein determining the network address comprises allocating a network address based on a dynamic host configuration protocol (DHCP).
 18. The article of claim 14, wherein the second computer comprises a network layer device, and wherein blocking or allowing access comprises blocking or allowing access at the network layer device.
 19. The article of claim 16, wherein the second computer comprises a server computer associated with the network resource, wherein determining an access control list further comprises retrieving an application layer access control list entry stored in a database, and wherein the server computer uses an application layer protocol based on an open system interconnection (OSI) model.
 20. The article of claim 16, further comprising storing the access control policy on a storage medium connected to the first computer in the network, the access control policy including defined roles for each user allowed to access a resource in the network.
 21. The article of claim 14, further comprising: releasing the private network address following completion of the access to the network resource.
 22. The article of claim 21, further comprising: de-installing a network layer access control entry following completion of the access to the network resource.
 23. An apparatus comprising: a first memory that stores executable instructions; and a first processor that executes the instructions from the first memory to: determine a private network address for a user in connection with the user accessing a network resource; determine an access control list entry for the user based on an access control policy; translate a public network address to the private network address for the user accessing the network resource; and allow or block the user access based on the access control list entry, wherein determining the access control list entry is performed before translating the public network address to the private network address.
 24. The apparatus of claim 23, further comprising: a second processor connected to the first processor, wherein the first processor executes instructions to: send the determined access control list entry from the first processor to the second processor in a network.
 25. The apparatus of claim 24, wherein the first processor executes instructions to: generate an access control list entry corresponding to the access control policy, that entry including the determined private network address.
 26. The apparatus of claim 25, wherein the determined access control list entry comprises a network level access control list entry including at least one of a destination address, a protocol layer designation, a source port, a destination port, the determined network address, and an indication of allowed or denied access to the network resource.
 27. The apparatus of claim 25, wherein determining the network address comprises assigning a network address based on a dynamic host configuration protocol (DHCP).
 28. The apparatus of claim 25, further comprising: a storage medium connected to the first processor, wherein the determined access control list entry comprises an application level access control list stored on the storage medium.
 29. The apparatus of claim 24, wherein the second processor comprises a network layer device.
 30. The apparatus of claim 29, wherein the network layer device executes instructions to block or allow access to the network resource based on the network level access control list entry.